Detection and Containment

Question 1

The OODA Loop is a decision-making model created to help responders think
clearly during the “fog of war”

Answer 1

OODA Loop

Question 2

OODA Loop

Answer 2

Observe
Orient
Decide
Act

Question 3

Observe

Answer 3

Observe

Question 4

Involves reflecting on what has been found during observations and considering
what should be done next

Answer 4

Orient

Question 5

Makes suggestions towards an action or response plan while taking into
consideration all of the potential outcomes

Answer 5

Decide

Question 6

Carry out the decision and related changes that need to be made in response to
the decision

Answer 6

Act

Question 7

Defensive Capabilities

Answer 7

Detect
Destroy
Degrade
Disrupt
Deny
Deceive

Question 8

Identify the presence of an adversary and the resources at their
disposal

Answer 8

Detect

Question 9

Render an adversary’s resources permanently useless or ineffective

Answer 9

Destroy

Question 10

Reduce an adversary’s capabilities or functionality, perhaps temporarily

Answer 10

Degrade

Question 11

Interrupt an adversary’s communications or frustrate or confuse their
efforts

Answer 11

Disrupt

Question 12

Prevent an adversary from learning about your capabilities or accessing
your information assets

Answer 12

Deny

Question 13

Supply false information to distort the adversary’s understanding and
awareness

Answer 13

Deceive

Question 14

Determine if an incident has taken place, triage it, and notify relevant
stakeholders

Answer 14

Detection and Analysis

Question 15

Triage and categorization are done based on an impact-based or taxonomy-based
approach

Answer 15

Impact-based Approach
Taxonomy-based Approach

Question 16

A categorization approach that focuses on the severity of an incident,
such as emergency, significant, moderate, or low

Answer 16

Impact-based Approach

Question 17

An approach that defines incident categories at the top level, such as
worm outbreak, phishing attempt, DDoS, external host/account
compromise, or internal privilege abuse

Answer 17

Taxonomy-based Approach

Question 18

An incident that affects mission essential functions and therefore the organization
cannot operate as intended

Answer 18

Organizational Impact

Question 19

An incident that is limited in scope to a single department, small user group, or a
few systems

Answer 19

Localized Impact

Question 20

An incident measurement based on the direct costs incurred because of an
incident, such as downtime, asset damage, penalties, and fees

Answer 20

Immediate Impact

Question 21

An incident measurement based on the costs that arise both during and following
the incident, including damage to the company’s reputation

Answer 21

Total Impact

Question 22

Any incident where data is modified or loses integrity

Answer 22

Data Integrity

Question 23

Incidents that disrupt or threaten a mission essential business function

Answer 23

System Process Criticality

Question 24

An incident that degrades or interrupts the availability of an asset, system, or
business process

Answer 24

Downtime

Question 25

An incident that creates short-term or long-term costs

Answer 25

Economic

Question 26

An incident that is linked to the TTP of known adversary groups with extensive
capabilities

Answer 26

Data Correlation

Question 27

An incident which the capabilities of the malware are discovered to be linked to
an adversary group

Answer 27

Reverse Engineering

Question 28

An incident which requires extensive recovery time due to its scope or severity

Answer 28

Recovery Time

Question 29

An incident which was not discovered quickly

Answer 29

Detection Time

Question 30

Rapid containment is important to an incident response
Limit the scope and magnitude of the incident by securing data and limiting
impact to business operations and your customers

Answer 30

Containment

Question 31

A mitigation strategy that involves removing an affected component from
whatever larger environment it is a part of

Answer 31

Isolation

Question 32

A mitigation strategy that achieves the isolation of a host or group of hosts using
network technologies and architecture

Answer 32

Segmentation